Feature Introduction
Access Control policies support combining multiple features from HTTP packets, such as request paths, GET parameters, POST parameters, Referer, and User-Agent, to manage public network user access through feature matching. To counter various attacks from the internet, Tencent Cloud users can leverage Access Control policies to respond flexibly, creating targeted rules to handle different types of attacks.
Note:
Rule types are categorized as either single-domain rules or batch multi-domain rules. The total number of rules for each domain is the sum of its single-domain and batch rules.
The maximum number of rules configurable for a single domain varies depending on the plan edition. For details, refer to Plans and Editions.
Each access control policy can configure up to 5 conditions for feature control.
The multiple conditions in each access control policy are in an "AND" relationship, meaning the policy takes effect only when all conditions are matched.
Action: For each access control policy, you can configure five processing actions after a match: Block, CAPTCHA, Observe, Redirect, and JS Validation.
Block: WAF intercepts the access that hits the policy.
CAPTCHA: WAF performs human-machine verification with a CAPTCHA challenge on the access that hits the policy.
Observe: WAF observes the access that hits the policy.
Redirect: WAF redirects the access that hits the policy.
JS Validation: WAF performs JS validation on the access that hits the policy.
Note:
JS validation is supported only in the Enterprise edition and above. If your current edition does not support it, upgrade your WAF edition first. For details, see WAF Plan Upgrade Method.
Effective modes: Four different configuration options are supported: immediate, custom, weekly, and monthly.
Priority: The smaller the priority value, the higher the priority. That is, 1 has the highest priority, while 100 has the lowest.
Configuration Cases
Example 1: Prohibit a specific IP address from accessing a specified site
When website administrators need to prohibit a specific IP address from accessing a specified site, they can perform the following configurations:
1. Log in to the WAF console, and in the left sidebar, click Protection Policies > Basic Security.
2. On the Basic Security page, select the domain to protect in the top-left corner, then click Access Control to go to the Access Control page.
3. On the Access Control page, click Add rule to go to the Add Custom Protection Rule page.
4. On the Add Custom Protection Rule page, enter a Rule name (such as 001), select a field (such as Source IP) under Field, choose "Belong to" as the Operator, enter the source IP address to be blocked (such as 192.168.1.1) in Content, select an Action (such as Block), and then click OK to save the rule.
Note:
The Access Control policy of Web Application Firewall (WAF) supports using subnet masks to control access requests from specific IP address ranges. You can enter a specific IP address range (such as 10.10.10.10/24) in the matching content.
5. The rule will take effect immediately, and all HTTP access requests from the specified source IP address will be blocked.
Example 2: Prohibit public network users from accessing specific Web resources
When website administrators want to prevent public network users from accessing specific Web resources (such as the admin backend /admin.html), they can configure the rule as follows: select "Request Path" under Field, choose "Is" as the Operator, enter /admin.html in Content, select "Block" for Action, and click OK after the configuration is completed.
Example 3: Prevent external sites from accessing resources through hotlinking
When website administrators need to block hotlinking from external sites (such as www.test.com), they can use the Access Control policy to capture and block requests based on Referer characteristics. Configure the rule as follows: select "Referer" under Field, choose "contains" as the Operator, enter www.test.com in Content, select "Block" for Action, and click OK after completing the configuration.
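The three rules above can be checked offline before they are entered in the console. The following is an added example, not Tencent Cloud code or a WAF API: a local model of the matching described on this page (ANDed conditions, smaller priority value first, the "Belong to", "Is" and "contains" operators). The rule priorities, the names other than 001, the "admin-observe" rule, the request dictionary layout and the assumption that the highest-priority matching rule decides the action are all illustrative.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Condition:
    field: str     # "Source IP", "Request Path" or "Referer"
    operator: str  # "Belong to", "Is" or "contains"
    content: str

    def matches(self, request: dict) -> bool:
        value = request.get(self.field, "")
        if self.operator == "Belong to":
            # strict=False reads 10.10.10.10/24 as the range 10.10.10.0-10.10.10.255
            network = ipaddress.ip_network(self.content, strict=False)
            return bool(value) and ipaddress.ip_address(value) in network
        if self.operator == "Is":
            return value == self.content
        if self.operator == "contains":
            return self.content in value
        raise ValueError(f"operator not modelled: {self.operator}")

@dataclass
class Rule:
    name: str
    priority: int  # smaller value = higher priority (1 highest, 100 lowest)
    action: str
    conditions: list

    def matches(self, request: dict) -> bool:
        if not 1 <= len(self.conditions) <= 5:
            raise ValueError(f"{self.name}: a policy takes at most 5 conditions")
        # Conditions are ANDed: every one must match.
        return all(c.matches(request) for c in self.conditions)

def evaluate(rules, request):
    """Return (name, action) of the highest-priority matching rule (assumed first-match)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(request):
            return rule.name, rule.action
    return None, None

# Constructed rule set: priorities and the "admin-observe" rule are illustrative.
RULES = [
    Rule("001", 10, "Block", [Condition("Source IP", "Belong to", "192.168.1.1")]),
    Rule("admin-block", 20, "Block", [Condition("Request Path", "Is", "/admin.html")]),
    Rule("hotlink", 30, "Block", [Condition("Referer", "contains", "www.test.com")]),
    Rule("admin-observe", 5, "Observe", [
        Condition("Request Path", "Is", "/admin.html"),
        Condition("Source IP", "Belong to", "10.10.10.10/24"),
    ]),
]
```

In this model a "contains" match on Referer is a substring test, so a Referer such as https://www.test.com.example.org/ also hits the hotlink rule, while a request with no Referer header does not.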
Example 4: Copy the policy to the target domain
When a policy is configured, if you want to apply it to other domains simultaneously, you can achieve this by copying the policy.
1. On the Basic Security > Access Control page, select the desired policy and click Copy to display the Copy Custom Policy dialog box.
2. In the Copy custom rule dialog box, select the target domain and click OK to copy the policy to the target domain.